
What Does NIS2 Mean for Your Company? (2026 Update)


May 2026 update: The Dutch Tweede Kamer (House of Representatives) approved the Cyberbeveiligingswet on April 15, 2026. The bill is now with the Eerste Kamer (Senate), where the DIGI and Justice & Security committees are scheduled to provide input on May 19. If the Senate approves it on schedule, the law takes effect July 1, 2026. If you operate in the Netherlands and haven't assessed whether NIS2 applies to you, you have roughly two months left. Everything below explains what the directive requires, how the Dutch implementation works, and where to start.


The original NIS Directive from 2016 was the EU's first attempt at a unified cybersecurity framework. It covered a narrow set of operators in energy, transport, banking, healthcare, water, and digital infrastructure. The problem? It left too much room for interpretation. Member states implemented it differently, enforcement was inconsistent, and entire sectors that had become critical to daily life were left out.

NIS2, adopted in January 2023 and required to be transposed into national law by October 2024, is the EU's correction. Wider scope, stricter obligations, and regulators who can actually do something when companies don't comply. If your company operates in the EU and you haven't looked at NIS2 yet, you're behind.

Who falls under NIS2?

NIS2 splits organizations into two categories: "essential entities" and "important entities." Both have the same core obligations. The difference is in how they're supervised. Essential entities get proactive oversight: audits, inspections, the works. Important entities are supervised reactively, usually after an incident or a complaint.

Essential entities are in sectors like energy, transport, banking, healthcare, drinking water, digital infrastructure (data centers, DNS providers, cloud services), and public administration. Important entities cover postal services, waste management, chemicals, food production, manufacturing, and research organizations.

The general size threshold: 50 or more employees, or annual turnover above 10 million euros. But there are exceptions. Some organizations qualify regardless of size, like DNS service providers, top-level domain registries, and providers of public electronic communications networks.

Here's the part that catches people off guard. Even if your company doesn't meet the thresholds directly, you can still be affected. If you're a supplier or subcontractor to an entity that falls under NIS2, expect contractual requirements to trickle down. Your client's compliance becomes your problem.

The Cyberbeveiligingswet: what changes for Dutch companies

NIS2 is the EU directive. The Cyberbeveiligingswet is the Dutch law that implements it. The requirements are largely the same, but the Cyberbeveiligingswet defines how supervision and enforcement work specifically in the Netherlands. It replaces the older Wbni framework (Wet beveiliging netwerk- en informatiesystemen) that covered a much smaller group of organizations.

An estimated 8,000 Dutch organizations will fall under the Cyberbeveiligingswet. That's a big jump from the few hundred covered by the Wbni.

How Dutch supervision works

The NCSC (Nationaal Cyber Security Centrum) is the central coordinating body for cybersecurity in the Netherlands. It handles national incident coordination and serves as the primary CSIRT (Computer Security Incident Response Team).

However, day-to-day supervision isn't all handled by one agency. Sector-specific regulators oversee compliance in their own domains. Think of it like how the AP (Autoriteit Persoonsgegevens) handles GDPR enforcement, but for the Cyberbeveiligingswet, multiple regulators share the load depending on your sector. Which regulator supervises you depends on a ministerial regulation that assigns sectors to specific authorities.

For incident reporting, you report to the NCSC. For compliance supervision and enforcement, you deal with your sector's designated authority.

Four obligations under the Cyberbeveiligingswet

The law introduces four specific duties:

Zorgplicht (duty of care). You must implement appropriate technical and organizational measures to manage cybersecurity risks. This covers risk assessments, access control, encryption, vulnerability management, business continuity, and staff training. "Appropriate" means proportional to your risk profile and the size of your organization. It does not mean "everything possible," but it does mean "documented and defensible."

Meldplicht (incident reporting). Significant cybersecurity incidents must be reported to the NCSC within 24 hours (early warning), followed by a full notification within 72 hours, and a final report within one month. The definition of "significant" will be further specified per sector.

Registratieplicht (registration duty). Organizations in scope must register with their designated supervisory authority. This is new compared to the old framework and gives regulators a clear picture of who falls under the law.

Trainingsplicht voor bestuurders (management training). Board members and management must undergo cybersecurity training. This reinforces the NIS2 principle that cybersecurity is a boardroom responsibility, not something you delegate entirely to IT.

Fines

Essential entities face fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. For important entities: up to 7 million euros or 1.4% of turnover. On top of that, regulators can impose non-monetary sanctions like public disclosure of violations and temporary management bans.

What NIS2 actually requires

The directive lays out cybersecurity risk management measures. On paper, they sound generic. In practice, they demand real work.

Risk assessments mean you need a documented process for identifying threats to your systems and data, evaluating how likely and damaging they are, and deciding what controls to put in place. This isn't a one-time exercise. You revisit it regularly and update it when your environment changes, say when you onboard a new SaaS tool or expand to a new market.

Incident reporting has a strict timeline. If you experience a significant incident, you must submit an early warning to your national authority within 24 hours. A full incident notification follows within 72 hours, and a final report is due within one month. For a 30-person company without a dedicated security team, that means having a response plan and clear internal responsibilities before something goes wrong. You don't want to figure out who calls the regulator while the servers are down.

Supply chain security is where NIS2 diverges most from the original directive. You're now required to assess and manage cybersecurity risks in your supply chain: evaluate your vendors' security practices, set contractual requirements, and monitor whether they actually hold up their end. If your cloud provider or managed service provider gets breached and you haven't done due diligence, that's on you.

Beyond these, NIS2 also requires business continuity management, encryption and access control policies, vulnerability handling procedures, and cybersecurity training for staff and management. Board-level accountability is written into the directive. Management bodies can be held personally liable for failures to comply. That one tends to get boardroom attention.

What changed from the original NIS Directive?

Scope, enforcement, and supply chain. All three got substantially reworked.

The original directive covered roughly seven sectors. NIS2 covers eighteen. Food production, waste management, manufacturing, and others that were previously outside the framework are now in.

Enforcement got real teeth. Essential entities face fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities: up to 7 million euros or 1.4% of turnover. Member states can also impose non-monetary sanctions like public disclosure of violations and temporary management bans.

And supply chain security moved from "best practice" to legal obligation. Regulators can examine not just your security posture, but whether you've properly assessed the risks introduced by your vendors.

What to do now (Dutch companies)

If you haven't started yet, don't panic. But the Cyberbeveiligingswet is targeting July 1, 2026. That's about two months away.

Figure out if you're in scope. Check your sector against the list above, and check your size (50+ employees or 10M+ turnover). If you supply services to organizations that are in scope, you'll face contractual requirements even if the law doesn't apply to you directly. When in doubt, prepare as if you're covered. The cost of preparation is far lower than the cost of scrambling after enforcement starts.

Understand your supervisory authority. Once the Cyberbeveiligingswet takes effect, you'll need to register with the regulator designated for your sector. The NCSC is the national coordinator and your contact for incident reporting. Your sector regulator handles compliance oversight. If you're not sure who your sector regulator is, the NCSC website will publish a registry once the law is in force.

Run a gap analysis. Compare what you have today against the four duties: duty of care (do you have documented security measures and risk assessments?), incident reporting (do you have a response plan with clear responsibilities and timelines?), registration (are you aware of the requirement?), and management training (has your board been briefed on their personal liability under this law?).

Assign someone to own it. NIS2 requires a responsible person, and "responsible" means accountable, with authority to make decisions and budget to act on them. Not someone who gets this dropped on their desk alongside their actual job.

Document everything. Regulators want evidence. Record your security measures, risk assessments, vendor evaluations, and incident procedures now. Trying to reconstruct this after the fact is painful and unconvincing.

Get your supply chain in order. Map your vendors, assess their security posture, get contractual safeguards in place. For most SMBs, this is where the biggest gap sits. Your cloud provider, IT service provider, and SaaS tools all need to be evaluated and documented.

How ComplianceHive helps

ComplianceHive gives you a structured starting point instead of a blank spreadsheet. You can track all your tools and vendors in one place, flag which ones process sensitive or critical data, and document security measures and ownership per tool. When audit time comes or an incident happens, your records are already organized.

The platform is built for teams that don't have a full-time compliance department. It won't write your policies for you, but it gives you the framework to manage vendors, track obligations, and show that you're taking NIS2 seriously, without drowning in paperwork.

NIS2 is not just for IT teams

This directive touches legal, operations, procurement, and the board. Management is explicitly on the hook. IT can't carry this alone, and shouldn't have to.

The companies that handle NIS2 well won't necessarily be the ones with the biggest security budgets. They'll be the ones that started early, picked someone to own it, and wove compliance into how they already work, rather than treating it as a separate project.

Want to get NIS2-ready without starting from scratch? Try ComplianceHive for free and bring structure to your compliance efforts.
